Académique Documents
Professionnel Documents
Culture Documents
Power sys
ccording to the latest OFGEM report on the performance of the transmission and distribution systems in Great Britain, each customer was without supply for an average of 86 minutes. Problems due to the transmission system or the generating plants accounted for only about 1O h of this unavailability. At first glance, we could therefore conclude that the performance of the transmission system is so good that we need not devote too much effort and resources to making sure that the level of security does not deteriorate. Such a conclusion, however, would be completely erroneous. To convince ourselves of the importance of remaining vigilant about the security of the transmission system, let us consider the following scenario. Imagine that around 8:30am on a cold Wednesday morning, an unpredictable failure compounded by plain bad luck causes the collapse of the entire power system of Great Britain. Millions of commuters are stuck in enormous traffic jams or left stranded on the rail network. Those who manage to get to work are sent home because the offices are dark and the factories are silent. Meanwhile at the national control centre and at stations and substations around the country, engineers are working diligently to restore the power system to its normal state. The task they face is huge and complex. All the power plants have been shut down by their protection system during the collapse and need to be resynchronised. Restarting a thermal plant requires a substantial amount of power that must be brought in from the small number of plants that have black-start capability In addition, the transmission network does not behave as it usually does because very little load and very few plants are connected. Because large overvoltages and wild frequency fluctuations could damage the equipment or cause disastrous setbacks in the restoration process, the operators work very cautiously. If everything works according to plan, all consumers could be reconnected within 8-10 hours. On the other hand, since the system is mostly thermal and since there is no handson exDerience with a full-scale black-start restoration in Great Britain, the potential
Incidents on the electri transmission system hav probability but a high i phenomena that have thi characteristic are difficu When a major problem has n happenedfor a long time, the natural tendency to wonder security measures are not too s
delays and mishaps 1s SudStantial. It is ther possible that some con almost a whole day resumes. The bottom line is sim blackout could easily cause 10-20 years worth of normal one day. In monetary terms,
plying the energy not served by a factor called the value of lost load (VOLL), which is determined using customer surveys.* This
i\
devoted to cleaning up and restarting business and industrial processes. The economic cost of a one-day blackout could amount to about include deaths
~~
~-
to a partial or total collapse of the power system. Before discussing how to measure and maintain the security of a power system, it is useful to review the various mechanisms that could cause load disconnections. Frequency collapse If a large and fully loadeid generating plant is suddenly disconnected from the rest of the power system, the amount of power produced no longer matches the load. This deficit draws down the kinetic energy :;tored in the rotating machines connected to the system. As the rotational speed of these machines decreases, the frequency of the system drops. If the loaageneration balance is not restored quickly enough, the frequency may drop to the level where the protection relays of some generators disconnect them from the system to protect these valuable assets from damage. These disconnections exacerbate the deficit of generation and the possibility of collapse. Cascading thermal overloads Consider the simple example shown on Fig. 1. Two identical 100 MVA transmission lines connect the western and eastern areas of a power system. If generation in the western area is much cheaper than in the eastern area, economics make it desirable to transmit power from west to east using the two transmission lines. Under normal conditions, each of these lines could carry up to 100 MW. However, if the system is operated in this fashion and one of the lines fails, the loading on the remaining line suddenly jumps to twice its thermal rating. This line is now severely overloaded and begins to sag. Within minutes its clearance drops below the safe level and a second fault occurs, severing the remaining tie between the two parts of the system. The eastern area of the system suffers from a generation deficit that might cause a frequency collapse. Transient instability The power transfer capacity of the transmission system decreases significantly during a fault. Some of the generating units will therefore be unable to inject into the system all the mechanical power supplied by their prime mover. This excess energy is transformed into kinetic energy and these ,generators accelerate. Once the fault is cleared, the transmission system recovers some of its transmission capacity. Under normal circumstances, the generators that have started accelerating slow
POWER ENGINEERING JOURNAL OCTOBER 2002
In a system that consists of tens of thousands of components, the failure of a single component is not a rare event. This is particularly true if some of these components (such as the transmission lines) are exposed to inclement weather conditions and others (such as the generating plants) are subjected to repeated changes in operating temperature. Under normal conditions, the failure of a single element of a power system does not have wider repercussions. The faulted or failed component is taken out of service and the system continues to operate normally while the failed component is repaired or replaced. Occasionally, however, one of these random and unavoidable failures triggers a sequence of events that leads
Table 1 Some of the large disturbances that have affected the power systems of industrialised countries (part of the information was obtained from Reference 3)
I
New England New York City France Greece Sweden Netherlands Portugal United Kingdom Tokyo Belgium Spain Israel western USA 1965 1977 i 978 1983 1983 i984 1985 i 986 i 987 1990 1993 1995 1996
of demand
242
western area
1 Simple example illustrating cascading thermal overloads: (a) Pre-fault conditions; [b) Post-fault conditions; and (c) Conditions after the thermal overload trip
200 MW excess
200 MW excess
generation
load
western area
eastern area
0 MW
western area
eastern area
200 MW surplus
200 MW deficit
C
in generation
in generation
down and the system recovers a uniform frequency. On the other hand, if the system is heavily loaded, it may not be able to handle the power transfers required to decelerate the affected generators. The differences in voltage angle between different parts of the system may continue to increase. Various protection devices would then detect an abnormal situation and would act to safeguard the equipment. Groups of generators may be shut down or split from the rest of the system. Other parts of the system may be left with large generation deficits. The frequency in these islands would then quickly collapse. Voltage instability In addition to the well-known active power balance, the steady-state operation of a power system requires a balance between the reactive power consumed and the reactive power produced. Under heavy load conditions, most of the reactive power is consumed as 12X losses in the transmission lines and the transformers. The generators and the reactive compensation devices must supply these reactive losses. If the reactive power needed in a given area.cannot be
POWER ENGINEERING JOURNAL OCTOBER 2002
supplied by a local source, the voltage in this area will drop to make possible the import of reactive power from other sources. Under heavily loaded conditions, the sudden outage of a transmission line or of a generator may put the system in a state where it cannot supply the reactive power needed to maintain the voltage. As the system tries to supply more reactive power, the voltage drops, further increasing the need for reactive power. If the load consists in large part of induction motors (e.g. those used for air conditioning), such a voltage collapse may take only a few seconds. A collapse could also be driven by on-load tap-changing transformers trying to maintain the distribution voltage constant. In this case, the process may take up to 20 minutes, giving the operator at least a chance to take corrective actions. Hidden failures Modern power systems are equipped with a variety of protection devices designed to identify dangerous situations and isolate the affected equipment quickly. Most of the time these devices operate as expected and therefore help maintain the stability and security of the
243
illustratingthe cost of re-dispatching for security purposes: (a)Economic dispatch: total cost = f5000; and ( )Secure dispatch: 6 total cost = f5200
12 per MWh
western area
eastern area
system. Occasionally however, in response to a disturbance in the system, the protection system malfunctions and disconnects a healthy piece of equipment in addition to the faulted one. Such a malfunction transforms what should be a routine fault clearing into a major incident because two components are disconnected rather than one. If this double disconnection occurs when the system is under stress, it can trigger a voltage collapse or a cascading thermal overload. Protection malfunctions are caused by hidden failures, i.e. defects in the protection system that remain hidden until they are exposed by a fault or other abnormal condition. A study4 of significant disturbances reported to the North American Electric Reliability Council for the period from 1984 to 19915 indicates that the protection system was a contributing factor in almost 70% of all major disturbances.
secure. It is always possible to devise a sequence of events that will lead to a total or partial collapse of the system. The probability of such a sequence of events may be very small but it will never be zero. At the other extreme, a power system operating on its stability limit has zero security because any deterioration in its condition (such as the outage of a component or a small increase in load) will result in the disconnection of at least some consumers. There are various typrs of actions that the operator of a power system can take to improve the security of the system in its charge. These measures can be classified in terms of their cost and in terms of the time at which they are implemented. Cost-based classification As we concluded from the discussion of the mechanisms that lead to major incidents, the security of the system is reduced when active power transfers are high and when reactive support is insufficient. Actions that affect the provision and flow of reactive power have an almost negligible cost compared to actions involving active power because no energy needs to be consumed to produce Mvars. When an operator is concerned about a potential voltage problem, the first thing that he or she will do is thus to adjust the transformer taps or the voltage set-points of generators and
POWER ENGINEERING JOURNAL OCTOBER 2002
Providing security Since it is impossible to eliminate completely random faults and failures, measures must be taken to reduce the likelihood that disturbances degenerate into major incidents involving the disconnection of consumers. We will therefore define power system security as the ability of the system to withstand unexpected failures and continue operating without interruption of supply to the consumers. A power system can never be totally
244
instability. Given the characteristics of the system, it is possible to calculate the maximum amount of power that can be transferred without unduly endangering the security of the system. Sophisticated transient and voltage stability analysis programs have been developed in recent years to calculate these limits accurately. Transmission lines and other transmission equipment are normally taken out of service only when they need to be maintained. Cancelling the maintenance on some equipment so it can be returned to service increases the transmission capacity of the system and therefore reduces the amount of generation that needs to be re-dispatched to maintain security. In the short run, delaying maintenance can therefore be a cost-free security action. Maintenance, however, cannot be postponed for ever without increasing the risk of failure. The schedule of equipment maintenance should be developed in such a way that the most critical equipment is taken out of service only when its unavailability does not impose a very costly, security-driven redispatching We can therefore conclude that, notwithstanding the provision of reactive support and the intrinsic strength of a power system, security considerations always impose a limit on the amount of power that can be transferred and often require a generation dispatch that is not the most economic one. Timing-based classification Security measures can also be divided into preventive, corrective and desperate actions. Preventive actions are intended to help the system ride through possible disturbances without immediate operator intervention. Since disturbances can occur at any time, preventive actions must be in effect at all times. Preventive measures that involve redispatching generation are thus very costly. It would be preferable to maintain the security of the system by reacting to unanticipated events. The cost of such corrective actions is much lower because they are implemented only when needed. Going back to the example of Figs. 1 and 2 we see that, if it were possible to increase the generation in the eastern area to relieve the cascade overloading before it causes the second line to trip, we would not have to deviate from the economic dispatch. Even if the price of the energy provided by the generation in the
Security factors always impose a limit on the amount of power that can be transferred
245
at the principles, techniques, advantages and disadvantages of both approaches. Binary security assessment It is intuitively clear that single contingencies (i.e. losing a single piece of equipment because of a fault) are much .more frequent than multiple contingencies. Binary security assessment takes this observation to the extreme. It postulates that the probability of two simultaneous independent faults or failures is so small that such events do not deserve to be considered. The set of credible contingencies therefore typically contains the outage of all network components (branches, generators and shunt elements) taken separately. In Britain, since most transmission corridors consist of two parallel circuits strung on the same towers, the simultaneous outage of both circuits due to a problem with one of the towers is considered credible. This clear but artificial distinction between credible and non-credible outages makes possible a very simple form of security assessment. At any given time, to be considered secure, a power system must be able to withstand all of the credible contingencies. None of these contingencies should result in a thermal overload or the violation of a voltage or transient stability limit. If one or more of the credible contingencies would result in an unacceptable operating state, the system is deemed insecure. Preveniive action must then be taken to change the systems condition in a direction such that no credible contingency causes a violation of the operating limits. This approach to detecting possible security problems works only if the set of credible contingencies is clearly delineated. Enlarging the set to include less credible contingencies would lead to the detection of more and more problems and require possibly contradicting adjustments to the state of the system. .Binary security assessment thus provides unambiguous answers fairly quickly. On the other hand, it ignores the stochastic nature of the faults and failures that affect power systems. All credible contingencies are given the same weight, irrespective of the nature of the outaged component, its length and its exposure. At times, the security threshold that it enforces will be too strict because it treats all events as equally likely. A considerable amount of money may therefore be spent on preventive actions that are required because a credible but unlikely
POWER ENGINEERING JOURNAL OCTOBER 2002
contingency would violate one of the security limits. For example, the probability of a fault on a short line in good weather conditions may be very low and it may not be worth protecting the system against its potential outage. On other occasions, the system may collapse because the security assessment did not consider the possibility of multiple outages caused by hidden failures. Continuous security measurement To remedy the limitations of binary security assessment, we need to put security analysis on a firmer theoretical footing. This means recognising that security analysis should be done on a probabilistic and not a deterministic basis. Rather than classifying a contingency as credible because it involves only one component and another as non-credible because it involves two, we should attach a probability to each contingency. Since we are not limiting ourselves to a moderately small set of contingencies, we can no longer assume that the system is secure unless a contingency results in conditions that violate the normal operating limits. There will indeed always be combinations of outages that will force some load disconnection. Such contingencies may have very low probabilities but they exist and the system would thus always be considered insecure. We therefore need to define a ruler that will give us a continuous measure of the security of the system. This measure should combine the impact on the system of each contingency. To reflect the probabilistic nature of this approach, the impact of each contingency should be weighed by its probability. But how do we measure the impact of a contingency on the system? When the concepts of power system security were developed in the 1960s, cascading thermal overloads were the primary concern of power system operators. In that context, it made sense to assess security on the basis of branch overloads because these overloads would ultimately cause the branch to trip. Nowadays, thermal overload is often less of a problem than voltage or transient instability. Extending the measure of security to include violations of voltage limits does not make sense because an under-voltage condition will not necessarily result in a voltage collapse. It seems more appropriate to measure the impact of a contingency by the actual damage that it produces, i.e. by the amount of load
disconnection that it might cause. If we factor into our calculation the time required to restore the load following its disconnection, this index of security is similar to the Expected Energy Not Served (EENS) index that has been used by planning engineers for some years. Calculating this probabilistic index of security is not a simple matter because in theory we should take all possible contingencies into consideration. In practice some of these contingencies have such a low probability that their contribution to the index is negligible. Contingencies, however, should not be eliminated simply on the basis that their probability is very low. Som: of these low-probabihty contingencies hav6very
indication of the level of security in the syst Second, since all the contingencies are weig
Conclusions Incidents on the transmission system have a low probability but a high impact. All phenomena that have this characteristic are difficult to analyse. When a major problem has not happened for a long time, there is a natural tendency to wonder if the security measures are not too strict. This article has tried to clarify the concepts and principles that must be understood if this question is to be answered rationally. The behaviour of power systems is complex, particularly when they operate under abnormal conditions. Analysis tools have become much more sophisticated over the last few years and the enormous improvements in computing speed make possible the consideration of a much larger number of possible scenarios. There is, however, a considerable amount of work that remains to be done before we will be able to handle properly the stochastic nature of major incidents.
References
1 OFGEM: Report on Distribution and Transmission Performance 2000/2001, January 2002 2 KARIUKI, K. K., and ALLAN, R.N.: Evaluation of reliability worth and value of lost load, IEE Proc,Genel: Transm. Distrib., March 1996, 143,(2) 3 KNIGHT, U. G.: Power !systems i n emergencies (John Wiley & Sons, Chichester, UK, 2001) 4 TAMRONGLAK, S., HOROWITZ, S. H., PHADKE,A. G . , and THORP, J. 5.: Anatomy of power system blackouts: preventive relaying strategies, IEEE Transactions on Power Deliveiy, April 1996, 11, (21, pp. 708-715 5 North American Electric Reliability Council: Disturbances analysis working group database, http://www.nerc.com/dawg/
IEE: 2o02
Dr. Daniel Kirschen is with the Department of Electrical Engineering & Electronics, UMIST, PO Box 88, Manchester M60 lQD, IJK, e-mail: D.Kirschen@ umist.ac.uk
248
2002